Ask a Lawyer is a recurring column where legal experts answer important questions for gyms and professionals in the climbing industry. This time, CBJ legal consultant Gregory Reda, an attorney with Phelps Dunbar, gets into the weeds of data privacy. Still somewhat of an under-covered topic in the industry, Reda explains why discussing personal information is now a must-have conversation for businesses―including climbing gyms. Got a question about your gym, your employees, or anything else in the wide world of climbing? Submit your legal question here.
QUESTION: “How can climbing gyms keep up with rapidly changing laws that protect personal information?”
The rules that govern information privacy and security are changing quickly, and the risks of non-compliance—or worse, a data breach—are more severe than ever. Every climbing gym, no matter its size, handles and maintains some amount of personal information, and likely a good bit more than most gyms realize. As a result, every gym should review the personal information it handles. This includes the data it collects, maintains, stores, uses, shares and transfers. But where to begin?
Defining Personal Information
A good starting point is to define and classify “personal information,” so a gym knows what it needs to monitor and protect. Unfortunately, no uniform definition of “personal information” currently exists—it varies by situation and location. The majority of states have adopted definitions that capture the types of information that most of us would consider personal and confidential.
For example, many state laws define “personal information” as specific pieces of information, such as a name and driver’s license number, payment information, biometric data (e.g., fingerprints, facial scans), or a passport or Social Security number. Other state laws, however, define it in broader terms. For example, Virginia will soon define “personal information” as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” once its new privacy law goes into effect. Virginia’s definition could potentially include something as simple as an email address.
Handling Personal Information
Correspondingly, the U.S. does not have a single, comprehensive law that governs how a company can (or should) handle or protect personal information. Instead, the country’s data privacy laws consist of a mosaic of individual state laws. These often protect residents of that state, and in some instances, provide industry-specific guidance (commonly found in regulated industries like finance and health care). Companies outside of these regulatory sectors, such as climbing gyms, must keep up with a growing body of state laws on the proper handling of personal information to avoid potential legal risks.
Take Alabama’s security breach notification law, for example. If a company handles certain personal information about Alabama residents, it must employ reasonable measures to protect the information against a security breach. These include considering naming an employee to oversee the company’s security measures and requiring service providers, through a contract, to also employ proper safeguards. If a company handles similar information about California residents, however, it may be subject to more burdensome legal duties under that state’s privacy law. California law grants its residents, among other things, the right to know what personal information a company handles about them and the ability to make sure the information is erased.
Personal Information in Gyms
All fifty states now have some rules on how their residents’ personal information can be handled. So each climbing gym is covered by at least one data privacy law applicable to either the location of the gym or the location of the individuals whose data the gym maintains (this is in addition to the risk of experiencing a data breach and the costly class action litigation that may follow).
At a minimum, all gyms have personal information relating to their employees (e.g., Social Security numbers, drivers’ licenses, banking information) and some amount of personal information on their members and guests. Depending on its point-of-sale (POS) system, a single gym can easily process and store hundreds or thousands of financial transactions, including credit card data and banking information. As a result, gyms must be mindful of the personal information they maintain and the corresponding data privacy laws or regulations applicable to them.
Taking an Information Inventory
Complicating compliance efforts, data privacy and security regulations vary by jurisdiction and are frequently expanded. That said, there are some best practices for all gyms to consider, no matter how large or small. A gym that handles personal information, whether from one or multiple states, should start by conducting an inventory of the information it handles so it can adapt to this shifting legal landscape. An information inventory identifies:
- The personal information a gym collects
- Why and how the gym handles it
- Whom it is shared with and how that recipient handles it
- How it is stored and deleted
- What security measures are employed throughout the information’s life cycle
Once the inventory is complete, the gym can find and assess the changing risks (legal, financial and reputational) associated with the personal information and respond. It can also find potential weaknesses in its data protection measures. For example, not all gyms may be aware of how their service providers process information. Maria Trysla, Business Leader of Rock Gym Pro (RGP)―which provides the most prevalent POS software in climbing gyms―says:
“The challenge is to stay current with the various laws and regulations regarding privacy [which] may differ across regions and/or countries. Whereas we find a common ground and apply security and privacy measures that address the concerns of these laws. As additional privacy laws are developed, we will adapt RGP to match the privacy requirements. Ultimately, the responsibility of protecting the customer’s data is the responsibility of the gym/facility.”
Responding to Risks
Additionally, while Rock Gym Pro and other companies will strive to comply with privacy requirements, it should not be taken as a given that every service provider will do so. Gyms should ensure that, at a minimum, the service providers that process personal information on their behalf are contractually required to:
- Only use the gym’s information for particular purposes
- Maintain certain safeguards when handling the gym’s information
- Notify the gym of a security incident in a timely manner
Even after addressing security vulnerabilities, a gym reliant on computer networks should also consider cyber insurance, which can cover costs of responding to and recovering from a cyber attack. Selecting cyber insurance coverage requires a gym to evaluate the privacy and security risks it faces, which an information inventory will help with. How much coverage a gym needs will depend on multiple factors, such as the volume and sensitivity of data being handled. If a gym decides to obtain such insurance, a specific cyber policy or addendum is likely needed, because most commercial general liability policies do not cover cyber incidents.
Free Resources for Gyms
Free resources are available to help a gym conduct an information inventory and bolster its security practices. The National Conference of State Legislatures provides a list of state security breach notification laws, available here, and other state laws related to digital privacy, available here. Not all relevant laws will be listed in these links, but they offer a place to start looking for potentially relevant legal obligations when handling personal information.
In addition, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 provides a cybersecurity framework on which any business can build its cybersecurity program. The NIST Framework, available here, does not provide a single set of requirements; rather, by following its process, a business can develop its own security protocols designed to meet its needs.
Information inventories are the baseline for assessing a gym’s data protection measures and privacy procedures. A gym should review and update its inventory on a regular basis and especially when its business operations change. Doing so helps a gym better handle personal information, prepare for a security incident, and address changing legal requirements. And, while these may not sound like pressing concerns to some gyms, the growing risk of civil fines and reputational harm for privacy non-compliance and the rising cost of data breach litigation show that data privacy is now critical for all companies. Climbing gyms, unfortunately, are not immune from these risks and must take proper precautions.
Note: This column offers general advice and is not intended to be used as direct legal counsel. Gym owners should consult a lawyer for their facility’s specific legal matters. Reda can be contacted directly here.
Gregory Reda is a data privacy attorney at Phelps Dunbar, where he advises clients on state, federal, and international data privacy laws. He helps clients better understand the risks associated with handling data and how to balance them with business goals and a rapidly changing legal landscape. He is certified as a privacy professional (CIPP/US) by the International Association of Privacy Professionals.